ARI SHAPIRO, HOST:
Today marks a deadline that President Trump set for himself. In January, he held a meeting to discuss government cybersecurity.
(SOUNDBITE OF ARCHIVED RECORDING)
PRESIDENT DONALD TRUMP: We must defend and protect federal networks and data. We operate these networks on behalf of the American people, and they are very important and very sacred.
SHAPIRO: Trump put out a statement that he would appoint a team to create a cybersecurity plan, quote, "within 90 days of taking office." This is day 90, and no plan has been announced. So we called up James Lewis of the Center for Strategic and International Studies. He directed a CSIS commission that made cybersecurity recommendations to Presidents Obama and Trump. I asked him when the Trump administration might actually roll out that plan.
JAMES LEWIS: They have once again said that it would be coming out probably by the end of the week. They've said that now for two or three weeks running. And you know how these things are. But I think there's some hope we can see something before the end of the month.
SHAPIRO: Tell us about the stakes here. Is this a system that can just keep running without any intervention by the current administration, or is the government really in dire need of a plan here?
LEWIS: The place where it needs help is on improving its own defenses. And one of the things that the Obama administration was thinking about at the end was the OPM hack, which was the Office of Personnel Management losing millions of records of federal employees to Chinese intelligence agencies. And a number of us realized in the OPM story, you had, you know, 14 people in OPM's IT shop versus the 1.6 million members of the People's Liberation Army. It's not a fair fight.
So I think one thing that would help a lot would be moving to managed services, moving to things people use in their daily lives like Gmail rather than trying to do your own email, moving to cloud services. The CIA uses a cloud service provided by a commercial provider. They don't do it themselves. The whole government would benefit if we could move. And so thinking about - this is really wonky; I apologize - how do you change acquisitions to improve cybersecurity?
SHAPIRO: Meaning contracting and the people who do the tech work...
SHAPIRO: ...For the government.
LEWIS: We're still as vulnerable as we were. There's been some improvement in, say, the electrical sector, some improvement in the defense sector. The banks have done better. The telecom sectors have done better. But we're still kind of uneven when it comes to all this.
And if anything, the threat has gotten more dynamic, more invasive. We all know of course that there's a new dimension, which is this kind of political interference. And that's where the nation as a whole needs to think a little bit more about, what's a strategy for countering Russian cyber activities aimed at disrupting our democracy?
SHAPIRO: I could imagine especially Trump opponents saying, oh, this administration doesn't care about cybersecurity because Russian involvement in the election may have helped the Trump campaign, et cetera. Do you see any evidence of that?
LEWIS: No. I've talked to the people in the White House who are responsible for this. There's not a lot. They have basically five political appointees doing this. That's not enough. But I know some of them, and they're very serious. They're good folks. I think they're going to try.
Are there internal tensions within the administration? That's true in all administrations. It's always something you see in the first year, but they're maybe a little more marked in this one. I have not seen anyone saying, let's backpedal on cybersecurity because we don't want to annoy the Russians. If anything, I've heard the opposite.
SHAPIRO: That's James Lewis, senior vice president of the Center for Strategic and International Studies. Thanks for joining us.
LEWIS: Thank you.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.